Every U.S. state, plus D.C., Guam, Puerto Rico, and the U.S. Virgin Islands, has its own data breach notification law. These laws require organizations to notify affected individuals, and often the state attorney general, when certain types of personal information are accessed or acquired without authorization.
Although the details vary by state, the overall framework is consistent: organizations must provide timely, accurate, and transparent notice when a breach risks harm to residents.
⭐ What Triggers State AG Notification?
A breach becomes reportable when:
- Personal information (PI) is accessed, acquired, or reasonably believed to have been accessed or acquired without authorization, and
- The incident creates a risk of harm to affected individuals (in many states), or
- The incident meets a strict statutory definition of a breach (in others)
Common types of PI that trigger notification:
- Social Security numbers
- Driver’s license or state ID numbers
- Financial account or payment card numbers
- Medical or health insurance information
- Biometric identifiers
- Online account credentials
- Taxpayer information
- Genetic data (in some states)
Some states (e.g., California, Virginia, Colorado) have broader definitions that include additional categories of sensitive data.
🧭 When Must the State Attorney General Be Notified?
Most states require AG notification when:
- A breach affects a threshold number of residents (commonly 500, 1,000, or more), or
- The breach involves sensitive categories of data, or
- The organization is required to notify any residents (in a few states)
Examples:
- California: Notify AG if 500+ residents are affected
- New York: Notify AG for any reportable breach
- Texas: Notify AG if 250+ residents are affected
- Florida: Notify AG if 500+ residents are affected
- Colorado: Notify AG for any breach involving PI
Because thresholds vary, multi‑state breaches often require multiple AG notifications.
📅 Notification Timelines
Most states require notification:
- “Without unreasonable delay”
- Often with a maximum deadline, commonly 30, 45, or 60 days
Examples:
- Florida: 30 days
- Colorado: 30 days
- New York: “Without unreasonable delay”
- California: “In the most expedient time possible”
- Ohio: 45 days
- Vermont: 14 days (one of the fastest)
If law enforcement determines that notification would impede an investigation, most states allow a temporary delay.
📄 What Must Be Included in the AG Notice?
While requirements vary, AG notices typically must include:
- Description of the incident
- Date of breach and date of discovery
- Types of personal information involved
- Number of affected residents
- Steps taken to contain and remediate the breach
- Whether law enforcement is involved
- Sample copy of the consumer notification letter
Some states require additional detail, such as:
- Whether encryption was used
- Whether the breach involved a third‑party vendor
- Whether credit monitoring is being offered
🧩 Consumer Notification Requirements
In addition to AG notification, organizations must notify affected individuals. Requirements vary but generally include:
- Clear description of the incident
- Types of data involved
- Steps individuals can take to protect themselves
- Contact information for the organization
- Information about credit monitoring (required in some states)
Several states (e.g., California, Connecticut, Delaware) require free credit monitoring when Social Security numbers are involved.
🔐 Special Rules for Certain Data Types
Some states impose enhanced requirements for:
- Health information
- Biometric data
- Children’s data
- Online account credentials
- Taxpayer information
For example, Illinois’ Biometric Information Privacy Act (BIPA) imposes strict obligations for biometric data.
⚠️ Penalties for Non‑Compliance
State AGs may impose:
- Civil penalties
- Injunctions
- Corrective action requirements
- Public enforcement actions
- Per‑record or per‑day fines (varies by state)
Some states (e.g., California, Colorado, Virginia) also allow private rights of action for certain breaches.
